A new study by cyber security firm Shape Security found that more than 90% of the login traffic of online retailers actually comes from hackers using stolen login data. Last year, 1.4 billion passwords were hacked, leaked, and dumped into an online document that circulated the information for hackers to reuse. And selling the information on the dark web is a business for online hackers.

In this case, hackers are using an attack method called “credential stuffing” to breach a system and gain access to user credentials, which they later use to breach other online systems. When targeting online businesses, they are able to use this information to gain access to retail sites to steal gift cards and other products from companies.

According to Quartz, credential stuffing attacks are successful at least 3% of the time, which might sound like a small number, but the costs add up. Shape Security’s report found that these breaches can cost online business nearly $6 billion per year. And when consumer data is repeatedly targeted online, it can create a lack of trust in a company.

It’s not just e-commerce that report attacks. The study also found that web forums are frequent targets for hackers. Last year, Lady Gaga’s “Little Monsters” fan forum suffered a breach that impacted 1 million accounts. In the hack, dates of birth, usernames, email addresses, and passwords were all targeted and compromised. And these breaches happen regularly enough. Last year, 2.3 pieces of personal data were compromised in 51 reported breaches, according to the study.

In the meantime, internet users can make sure they are secure by frequently changing passwords, and using tools, like PassProtect to ensure their information hasn’t already been breached.